Outside modifying the registry itself, the Local Group Policy Editor is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires Pro Edition or better.
These settings should be set on a brand-new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictable behavior and is done at your own risk.
All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We’ve also explained some of our choices below whenever the explanation included with Windows is inadequate.
Computer Configuration: Administrative Templates
You can find these settings by opening gpedit.msc and navigating to Local Computer Policy > Computer Configuration > Administrative Templates in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that’s the case the appropriate settings are noted below as well.
Control Panel
- Allow Online Tips: Disabled
Regional and Language Options
- Regional and Language Options → Allow users to enable online speech recognition services: Disabled
- Regional and Language Options → Handwriting personalization → Turn off automatic learning: Enabled
Start Menu and Task Bar
- Do not keep history of recently opened documents: Enabled
- Remove Personalized Website Recommendations from the Recommended section in the Start Menu: Enabled
Notifications
- Turn off notifications network usage: Enabled
System
Device Guard
- Turn On Virtualization Based Security: Enabled
- Platform Security Level: Secure Boot and DMA Protection
- Secure Launch Configuration: Enabled
Internet Communication Management
- Turn off Windows Customer Experience Improvement Program: Enabled
- Turn off Event Viewer “Event.asp” links: Enabled
- Turn off Help and Support Center “Did you know?” content: Enabled
- Turn off Help and Support Center Microsoft Knowledge Base search: Enabled
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: Enabled
- Turn off Internet download for Web publishing and online ordering wizards: Enabled
- Turn off Windows Error Reporting: Enabled
- Turn off Internet File Association service: Enabled
- Turn off Search Companion content file updates: Enabled
- Turn off the “Order Prints” picture task: Enabled
- Turn off the “Publish to Web” task for files and folders: Enabled
- Turn off Windows Network Connectivity Status Indicator active tests: Enabled
- Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don’t list them all here or disable them because this setting covers that.
OS Policies
- Allow Clipboard History: Disabled
- Allow Clipboard synchronization across devices: Disabled
- Enables Activity Feed: Disabled
- Allow publishing of User Activities: Disabled
- Allow upload of User Activities: Disabled
User Profiles
- Turn off the advertising ID: Enabled
Windows Components
AutoPlay Policies
AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It’s a security best practice to disable these features, and simply open files on your external disks manually.
- Turn off AutoPlay: Enabled
- Disallow Autoplay for nonvolume devices: Enabled
- Set the default behavior for AutoRun: Enabled
- Default AutoRun Behavior: Do not execute any AutoRun commands
BitLocker Drive Encryption
You may wish to re-encrypt your operating system drive after changing these settings.
- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): Enabled
- Select the encryption method: AES-256
Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
Operating System Drives
- Require additional authentication at startup: Enabled
- Allow enhanced PINs for startup: Enabled
Despite the names of these policies, this doesn’t require you to do anything by default, but it will unlock the option to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the BitLocker setup wizard.
Cloud Content
- Turn off cloud optimized content: Enabled
- Turn off cloud consumer account state content: Enabled
- Do not show Windows tips: Enabled
- Turn off Microsoft consumer experiences: Enabled
Credential User Interface
- Require trusted path for credential entry: Enabled
- Prevent the use of security questions for local accounts: Enabled
Data Collection and Preview Builds
- Allow Diagnostic Data: Enabled
- Options: Send required diagnostic data (Pro Edition); or
- Options: Diagnostic data off (Enterprise or Education Edition)
- Limit Diagnostic Log Collection: Enabled
- Limit Dump Collection: Enabled
- Limit optional diagnostic data for Desktop Analytics: Enabled
- Options: Disable Desktop Analytics collection
- Do not show feedback notifications: Enabled
File Explorer
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: Enabled
Find My Device
- Turn on/off Find My Device: Disabled
MDM
- Disable MDM Enrollment: Enabled
Microsoft Edge
- Configure search suggestions in Address bar: Disabled
- Configure Windows Defender SmartScreen: Disabled
OneDrive
- Save documents to OneDrive by default: Disabled
- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: Enabled
- Prevent the usage of OneDrive for file storage: Enabled
This last setting disables OneDrive on your system; make sure to change it to Disabled if you use OneDrive.
Push To Install
- Turn off Push To Install service: Enabled
Search
- Allow Cloud Search: Disabled
- Allow Cortana: Disabled
- Don’t search the web or display web results in Search: Enabled
- Set what information is shared in Search: Enabled
- Type of information: Anonymous info
Sync your settings
- Do not sync: Enabled
Text input
- Improve inking and typing recognition: Disabled
Widgets
- Allow widgets: Disabled
Windows AI
Windows 11 recently introduced a feature called Recall, which records all your activity and creates a searchable archive of that activity history. This is a massive privacy vulnerability, because those archives can potentially store highly sensitive information (essentially anything displayed on your screen), and can be trivially accessed by local administrators or malicious actors with user-level access to your device.
- Turn off saving snapshots of Windows: Enabled
Windows Error Reporting
- Do not send additional data: Enabled
- Consent > Configure Default consent: Enabled
- Consent level: Always ask before sending data
Windows Messenger
- Do not allow Windows Messenger to be run: Enabled
User Configuration: Administrative Templates
You can find these settings by opening gpedit.msc and navigating to Local Computer Policy > User Configuration > Administrative Templates in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
Start Menu and Taskbar
- Clear history of recently opened documents on exit: Enabled
- Do not search Internet: Enabled
- Turn off user tracking: Enabled
Account notifications
- Turn off account notifications in Start: Enabled
Cloud Content
- Do not suggest third-party content in Windows spotlight: Enabled
- Do not use diagnostic data for tailored experiences: Enabled
- Turn off all Windows spotlight features: Enabled
Desktop Gadgets
- Turn off desktop gadgets: Enabled
Search
- Turn off storage and display of search history: Enabled
Windows Copilot
- Turn off Windows Copilot: Enabled
Last edited by @banana 2025-06-18T20:58:36Z